Case 7:19-cv-05340-UA Document 1 Filed 06/06/19 Page 1 of 21 


UNITED STATES DISTRICT COURT 
SOUTHERN DISTRICT OF NEW YORK 


ROSA VILLARREAL, KARINA GRAS and 
JEFFREY GROSSMAN, individually and on behalf 
of all those similarly situated, 

Plaintiffs, 

v. 

AMERICAN MEDICAL COLLECTION AGENCY, 
INC., and LABORATORY CORPORATION OF 
AMERICA HOLDINGS, 

Defendants. 


Civil Action No. 


COMPLAINT and 
DEMAND FOR JURY TRIAL 


Plaintiffs Rosa Villarreal, Karina Gras and Jeffrey Grossman (“Plaintiffs”), individually 
and on behalf of all others similarly situated, through the undersigned counsel, hereby allege the 
following, against Defendants American Medical Collection Agency, Inc. (“AMCA”), and 
Laboratory Corporation of America Holdings (“LabCorp”) (collectively, “Defendants”). Based 
upon personal knowledge, information, belief, and investigation of counsel, Plaintiffs 
specifically allege as follows: 


SUMMARY OF THE CASE 


1. Plaintiffs bring this class action on behalf of a nationwide class and New York and 
Florida Sub-Classes (together, the “Classes”) against Defendants because of their failure to protect 
the confidential information of millions of patients—including financial information (e.g ., credit 
card numbers and bank account information), medical information, personal information (e.g., 
Social Security Numbers), and/or other protected health information as defined by the Health 
Insurance Portability and Accountability Act of 1996 (“HIPAA”) (collectively, their “Sensitive 
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Information”). Defendants’ wrongful disclosure has hanned Plaintiffs and the Classes, believed to 
include millions of individuals. 

JURISDICTION AND VENUE 

2. This Court has subject matter jurisdiction under the Class Action Fairness Act, 28 
U.S.C. § 1332(d) in that: (1) this is a class action involving more than 1,000 class members; (2) 
minimal diversity is present as Plaintiffs are citizens of Florida and New York (and the proposed 
class members are from various states), while Defendants are citizens of New York and North 
Carolina; and (3) the amount in controversy exceeds the sum of $5,000,000, exclusive of interest 
and costs. 

3. This Court has personal jurisdiction over Defendants because Defendants do business 
in and throughout the State of New York, and the wrongful acts alleged in this Complaint were 
committed in New York, among other venues. 

4. Venue is proper in this District pursuant to: (1) 28 U.S.C. § 1391(b)(2) in that a 
substantial part of the events or omissions giving rise to Plaintiffs’ claims occurred in this District, 
and 28 U.S.C. § 1391(d) because the transactions giving rise to the claims occurred in Elmsford, 
New York; and (2) 28 U.S.C. § 1391(b)(3) in that Defendants are subject to personal jurisdiction 
in this District. 

PARTIES 

5. Plaintiff Rosa Villarreal is an individual residing in Miami, Florida, who has been a 
patient of LabCorp and whose Sensitive Infonnation, on information and belief, was compromised 
in the Data Breach described herein. 
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6. Plaintiff Karina Gras is an individual residing in Miami, Florida, who has been a 
patient of LabCorp and whose Sensitive Information, on information and belief, was compromised 
in the Data Breach described herein. 

7. Plaintiff Jeffrey Grossman is an individual residing in Slingerlands, New York, who 
has been a patient of LabCorp and whose Sensitive Information, on information and belief, was 
compromised in the Data Breach described herein. 

8. Defendant American Medical Collection Agency, Inc. (“AMCA”) is a New York 
corporation with its principal place of business in Elmsford, New York. 

9. Defendant Laboratory Corporation of America Holdings (“LabCorp”) is a Delaware 
corporation with its principal place of business in Burlington, North Carolina. 

FACTUAL BACKGROUND 


10. LabCorp is one of the world’s leading providers of medical diagnostic testing services. 
It performs medical tests that aid in the diagnosis or detection of diseases, and that measure the 
progress of or recovery from a disease. Earlier this year, LabCorp disclosed that LabCorp 
Diagnostics processes “2.5 million patient specimens each week and has laboratory locations 
throughout the U.S.” LabCorp Form 10-K, Feb. 28, 2019 

11. On June 4, 2019, LabCorp publicly announced the following in a fding with the 

Securities and Exchange Commission (“SEC”): 

[LabCorp] has been notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a 
American Medical Collection Agency (AMCA) about unauthorized activity on 
AMCA’s web payment page (the AMCA Incident). According to AMCA, this 
activity occurred between August 1, 2018, and March 30, 2019. AMCA is an 
external collection agency used by LabCorp and other healthcare companies. 
LabCorp has referred approximately 7.7 million consumers to AMCA whose data 
was stored in the affected AMCA system. AMCA’s affected system included 
in formation provided by LabCorp. That information could include first and last 
name, date of birth, address, phone, date of service, provider, and balance 
information. AMCA’s affected system also included credit card or bank account 


3 



Case 7:19-cv-05340-UA Document 1 Filed 06/06/19 Page 4 of 21 


information that was provided by the consumer to AMCA (for those who sought to 
pay their balance). 

LabCorp Form 8-K, June 4, 2019. 

12. LabCorp further disclosed that “AMCA has informed LabCorp that it is in the process 
of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank 
account information may have been accessed. AMCA has not yet provided LabCorp a list of the 
affected LabCorp consumers or more specific information about them.” Id. 

13. On February 28, 2019, analysts at Gemini Advisory disclosed a data breach at AMCA 

which had affected approximately 200,000 customers: 

On February 28, 2019, Gemini Advisory identified a large number of compromised 
payment cards while monitoring dark web marketplaces. Almost 15% of these 
records included additional personally identifiable information (PII), such as dates 
of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A 
thorough analysis indicated that the information was likely stolen from the online 
portal of the American Medical Collection Agency (AMCA), one of the largest 
recovery agencies for patient collections. Several financial institutions also 
collaboratively confirmed the connection between the compromised payment card 
data and the breach at AMCA. 

American Medical Collection Agency breach impacted 200,000 patients - Gemini Advisory 
(available at https://www.databreaches.net/american-medical-collection-agencv-breach- 
impacted-200000-patients-gemini-advisory/) (accessed June 5, 2019). Gemini Advisory’s 
“research revealed that the exposure window lasted for at least seven months beginning in 
September, 2018.” Id. ACMA refused to answer questions from Gemini Advisory at the time. Id. 

14. LabCorp’s June 4, 2019 SEC filing does not indicate that it contacted AMCA about 
the issue at any point prior to this week. 

15. Defendants apparently allowed hackers to access Plaintiffs’ and other Class 
Members’ Sensitive Information for at least seven months and did nothing to let the victims know 
about the Data Breach for nearly a year after it began. 
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16. Although LabCorp should have kn own of the Data Breach no later than March 2019, 
and although AMCA knew of it far earlier than that, neither took any steps to notify patients whose 
information was affected until June 4, 2019, at which point LabCorp only did so through an SEC 
fding. 

17. Defendants had obligations, arising from promises made to patients like Plaintiffs and 
other Class Members, and based on industry standards, to keep the compromised Sensitive 
Information confidential and to protect it from unauthorized disclosures. Class Members provided 
their Sensitive Infonnation to LabCorp with the understanding that LabCorp and any business 
partners to whom LabCorp disclosed the Sensitive Information would comply with their 
obligations to keep such information confidential and secure from unauthorized disclosures. 

18. LabCorp promises patients that it will keep their Sensitive Information confidential, 
assuring patients that it patient financial “information may be accessed only by LabCorp 
employees who maintain password and job-required access rights, and third party vendors who 
support LabCorp’s billing operations.” Website Privacy Policy (available at 
https://www.labcorp.com/hipaa-privacv/web-privacv-policv) (accessed June 5, 2019). 

19. Defendants’ data security obligations and promises were particularly important given 
the substantial increase in data breaches — particularly those in the healthcare industry — 
preceding August 2018, which were widely known to the public and to anyone in Defendants’ 
industries. 

20. Defendants’ security failures demonstrate that they failed to honor their duties and 
promises by not: 

a. Maintaining an adequate data security system to reduce the risk of data 
breaches and cyber-attacks; 
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b. Adequately protecting Plaintiffs’ and the Classes’ Sensitive Information; 

c. Ensuring the confidentiality and integrity of electronic protected health information 
they created, received, maintained, or transmitted, in violation of 45 C.F.R. § 
164.306(a)(1); 

d. Implementing technical policies and procedures for electronic information systems 
that maintain electronic protected health information to allow access only to those 
persons or software programs that have been granted access rights, in violation of 
45 C.F.R. § 164.312(a)(1); 

e. Implementing policies and procedures to prevent, detect, contain, and 
correct security violations, in violation of 45 C.F.R. § 164.308(a)(l)(i); 

f. Implementing procedures to review records of information system activity 
regularly, such as audit logs, access reports, and security incident tracking reports 
in violation of 45 C.F.R. § 164.308(a)(l)(ii)(D); 

g. Protecting against any reasonably anticipated threats or hazards to the security or 
integrity of electronic protected health information, in violation of 45 C.F.R. § 
164.306(a)(2); 

h. Protecting against reasonably anticipated uses or disclosures of electronic 
protected health infonnation that are not permitted under the privacy rules 
regarding individually identifiable health information, in violation of 45 C.F.R. § 
164.306(a)(3); 

i. Ensuring compliance with the electronically protected health information security 
standard rules by their workforces, in violation of 45 C.F.R. § 164.306(a)(4); and/or 
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j. Training all members of their workforces effectively on the policies and procedures 
with respect to protected health information as necessary and appropriate for the 
members of their workforces to carry out their functions and to maintain security 
of protected health information, in violation of 45 C.F.R. § 164.530(b). 

It is Well-Established That Data Breaches Lead to Identity Theft 

21. Plaintiffs and other Class Members have been injured by the disclosure of their 
Sensitive Information in the Data Breach. 

22. The United States Government Accountability Office noted in a June 2007 report on 
Data Breaches (“GAO Report”) that identity thieves use identifying data such as Social Security 
Numbers to open financial accounts, receive government benefits and incur charges and credit in 
a person’s name. 1 As the GAO Report states, this type of identity theft is the most harmful because 
it often takes some time for the victim to become aware of the theft, and the theft can impact the 
victim’s credit rating adversely. 

23. In addition, the GAO Report states that victims of identity theft will face “substantial 
costs and inconveniences repairing damage to their credit records” and their “good name.” 2 

24. Identity theft victims frequently are required to spend many hours and large amounts 
of money repairing the impact to their credit. Identity thieves use stolen personal information such 
as social security numbers (“SSNs”) for a variety of crimes, including credit card fraud, phone or 
utilities fraud, and/or ba nk /finance fraud. 


See Personal Information: Data Breaches Are Frequent, hut Evidence of Resulting Identity Theft is 
Limited: However, the Full Extent Is Unknown (June 2007), United States Government Accountability Office, 
available at <https://www.gao.gov/new.items/d07737.pdf> (last visited June 4, 2019). 

2 Id. at 2, 9 
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25. There may be a time lag between when Sensitive Information is stolen and when it is 
used. According to the GAO Report: 

[L]aw enforcement officials told us that in some cases, stolen data may be held for 
up to a year or more before being used to commit identity theft. Further, once stolen 
data have been sold or posted on the Web, fraudulent use of that information may 
continue for years. As a result, studies that attempt to measure the harm resulting 
from data breaches cannot necessarily rule out all future harm. 3 

26. With access to an individual’s Sensitive Information, criminals can do more than just 
empty a victim’s bank account—they can also commit all manner of fraud, including: obtaining a 
driver’s license or official identification card in the victim’s name but with the thief s picture; using 
the victim’s name and SSN to obtain government benefits; or, filing a fraudulent tax return using 
the victim’s infonnation. In addition, identity thieves may obtain a job using the victim’s SSN, rent 
a house, or receive medical services in the victim’s name. Identity thieves may even give the 
victim’s personal infonnation to police during an arrest, resulting in an arrest warrant being issued 
in the victim’s name. 4 

27. Sensitive Infonnation is such a valuable commodity to identity thieves that once the 
information has been compromised, criminals often trade the information on the “cyber black- 
market” for years. As a result of recent large-scale data breaches, identity thieves and cyber¬ 
criminals have openly posted stolen credit card numbers, SSNs, and other Sensitive Information 
directly on various Internet websites making the information publicly available. 


3 Id. at 29 (emphasis supplied). 

4 See Federal Trade Commission, Warning Signs of Identify Theft, available at 
https://www.identitytheft.gov/Warning-Signs-of-Identitv-Theft (last visited June 4, 2019). 


8 




Case 7:19-cv-05340-UA Document 1 Filed 06/06/19 Page 9 of 21 


28. A study by Experian found that the “average total cost” of medical identity theft is 
“about $20,000” per incident, and that a majority of victims of medical identity theft were forced 
to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage. 5 

29. Indeed, data breaches and identity theft have a crippling effect on individuals and 
detrimentally impact the entire economy as a whole. Medical databases are especially valuable to 
identity thieves. According to a 2012 Nationwide Insurance report, “[a] stolen medical identity has 
a $50 street value - whereas a stolen social security number, on the other hand, only sells for $ 1 .” 6 
In fact, the medical industry has experienced disproportionally higher instances of computer theft 
than any other industry. 

CLASS ALLEGATIONS 


30. In accordance with Federal Rules of Civil Procedure 23(b)(2) and (b)(3), Plaintiffs 
bring this case as a class action on behalf of a Nationwide Class, and New York and Florida Sub- 
Classes, defined as follows: 

Nationwide Class : All persons in the United States whose Sensitive 
Information was maintained on the AMCA systems that were 
compromised as a result of the breach announced by LabCorp on or 
around June 4, 2019. 

New York Sub-Class : All persons in the State of NewYork whose 
Sensitive Information was maintained on the AMCA systems that were 
compromised as a result of the breach announced by FabCorp on or around 
June 4, 2019. 

Florida Sub-Class : All persons in the State of Florida whose Sensitive 
Information was maintained on the AMCA systems that were 
compromised as a result of the breach announced by FabCorp on or around 
June 4, 2019. 


5 See Elinor Mills, Study: Medical identity theft is costly for victims, CNET, (Mar. 3, 2010) 
https://www.cnet.com/news/studv-medical-identitv-theft-is-costly-for-victims (last visited June 4, 2019). 

6 See Study; Few Aware of Medical Identity Theft Risk, Claims Journal, 
http://www.claimsjournal.com/news/national/2012/06/14/208510.htm (last visited June 4, 2019). 
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31. The Classes are each so numerous that joinder of all members is impracticable. On 
in formation and belief, the Classes each have more than 1,000 members. Moreover, the disposition 
of the claims of the Classes in a single action will provide substantial benefits to all parties and the 
Court. 

32. There are numerous questions of law and fact common to Plaintiffs and Class 
Members. These common questions of law and fact include, but are not limited to, the following: 

a. Whether Defendants’ data security systems prior to the Data Breach complied with 
all applicable legal requirements; 

b. Whether Defendants’ data security systems prior to the Data Breach met industry 
standards; 

c. Whether Plaintiffs’ and other Class members’ Sensitive Information was 
compromised in the Data Breach; and 

d. Whether Plaintiffs’ and other Class members are entitled to damages as a result of 
Defendants’ conduct. 

33. Plaintiffs’ claims are typical of the claims of the Classes’ claims. Plaintiffs suffered 
the same injury as Class Members— i.e., upon information and belief, Plaintiffs’ Sensitive 
Information was compromised in the Data Breach. 

34. Plaintiffs will fairly and adequately protect the interests of the Classes. Plaintiffs have 
retained competent and capable attorneys with significant experience in complex and class action 
litigation, including data breach class actions. Plaintiffs and their counsel are committed to 
prosecuting this action vigorously on behalf of the Classes and have the financial resources to do 
so. Neither Plaintiffs nor their counsel have interests that are contrary to or that conflict with those 
of the proposed Classes. 
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35. Defendants have engaged in a common course of conduct toward Plaintiffs and other 
Class Members. The common issues arising from this conduct that affect Plaintiffs and Class 
Members predominate over any individual issues. Adjudication of these common issues in a single 
action has important and desirable advantages of judicial economy. 

36. A class action is the superior method for the fair and efficient adjudication of this 
controversy. Class Members’ interests in individually controlling the prosecution of separate 
actions are low given the magnitude, burden, and expense of individual prosecutions against large 
corporations such as Defendants. It is desirable to concentrate this litigation in this forum to avoid 
burdening the courts with individual lawsuits. Individualized litigation presents a potential for 
inconsistent or contradictory judgments, and also increases the delay and expense to all parties and 
the court system presented by the legal and factual issues of this case. By contrast, the class action 
procedure here will have no management difficulties. Defendants’ records and the records 
available publicly will easily identify the Class Members. The same common documents and 
testimony will be used to prove Plaintiffs’ claims 

37. A class action is appropriate under Fed. R. Civ. P. 23(b)(2) because Defendants have 
acted or refused to act on grounds that apply generally to Class Members, so that final injunctive 
relief or corresponding declaratory relief is appropriate as to all Class Members. 

FIRST COUNT 

Negligence 

(On behalf of Plaintiffs and the Nationwide Class) 

38. Plaintiffs reallege and incorporate by reference all preceding factual allegations. 

39. LabCorp required Plaintiffs and Class Members to submit non-public Sensitive 
Information to obtain medical services, which LabCorp provided to AMCA for billing purposes. 
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40. By collecting and storing this data, and sharing it and using it for commercial gain, 
Defendants both had a duty of care to use reasonable means to secure and safeguard this Sensitive 
Information, to prevent disclosure of the information, and to guard the information from theft. 

41. Defendants’ duty included a responsibility to implement a process by which they 
could detect a breach of their security systems in a reasonably expeditious period of time and give 
prompt notice to those affected in the case of a data breach. 

42. Defendants also owed a duty of care to Plaintiffs and members of the Classes to 
provide security consistent with industry standards and the other requirements discussed herein, 
and to ensure that their systems and networks—and the personnel responsible for them adequately 
protected their customers’ Sensitive Information. 

43. Defendants’ duty to use reasonable security measures arose as a result of the special 
relationship that existed between LabCorp and its patients, which is recognized by laws including 
but not limited to HIPAA. Only Defendants were in a position to ensure that their systems were 
sufficient to protect against the harm to Plaintiffs and the members of the Classes from a data 
breach. 

44. Defendants’ duty to use reasonable security measures also arose under HIPAA, 
pursuant to which Defendants are required to “reasonable protect” confidential data from “any 
intentional or unintentional use or disclosure” and to “have in place appropriate administrative, 
technical, and physical safeguards to protect the privacy of protected health information.” 45 
C.F.R. § 164.530(c)(1). The confidential data at issue in this case constitutes “protected health 
information” within the meaning of HIPAA. 

45. In addition, Defendants had a duty to use reasonable security measures under Section 
5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair . . . practices in 
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or affecting commerce,” including, as interpreted and enforced by the FTC, the unfair practice of 
failing to use reasonable measures to protect confidential data. 

46. Defendants’ duty to use reasonable care in protecting confidential data arose not only 
as a result of the common law and the statutes and regulations described above, but also because 
they are bound by, and have committed to comply with, industry standards for the protection of 
confidential Sensitive Information. 

47. Defendants breached their common law, statutory and other duties—and thus, were 
negligent—by failing to use reasonable measures to protect patients’ Sensitive Information, and 
by failing to provide timely notice of the Data Breach. 

48. The specific negligent acts and omissions committed by Defendants include, but are 
not limited to, the following: 

a. failing to adopt, implement, and maintain adequate security measures to safeguard 
Plaintiffs’ and Class Members’ Sensitive Information; 

b. failing to adequately monitor the security of AMCA’s network and systems; 

c. allowing unauthorized access to Plaintiffs’ and Class Members’ Sensitive 
Information; 

d. failing to recognize in a timely manner that Plaintiffs’ and other Class Members’ 
Sensitive Infonnation had been compromised; and 

e. failing to warn Plaintiffs and other Class Members about the Data Breach in a 
timely manner so that they could take appropriate steps to mitigate the potential for 
identity theft and other damages. 

49. It was foreseeable that Defendants’ failure to use reasonable measures to protect 
Sensitive Information and to provide timely notice of the Data Breach would result in injury to 
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Plaintiffs and other Class Members. Further, the breach of security, unauthorized access, and 
resulting injury to Plaintiffs and the members of the Classes were reasonably foreseeable. 

50. It was therefore foreseeable that the failure to adequately safeguard Sensitive 
Information would result in one or more of the following injuries to Plaintiffs and the members of 
the proposed Class: ongoing, imminent, certainly impending threat of identity theft crimes, fraud, 
and abuse, resulting in monetary loss and economic harm; actual identity theft crimes, fraud, and 
abuse, resulting in monetary loss and economic hann; loss of the confidentiality of the stolen 
confidential data; the illegal sale of the compromised data on the deep web black market; expenses 
and/or time spent on credit monitoring and identity theft insurance; time spent scrutinizing bank 
statements, credit card statements, and credit reports; expenses and/or time spent initiating fraud 
alerts; decreased credit scores and ratings; lost work time; and other economic and non-economic 
harm. 

51. Accordingly, Plaintiffs, individually and on behalf of all those similarly situated, seek 
an order declaring that Defendants’ conduct constitutes negligence and awarding damages in an 
amount to be determined at trial. 

SECOND COUNT 
Breach of Implied Contract 
(On behalf of Plaintiffs and the Nationwide Class) 

52. Plaintiffs reallege and incorporate by reference all preceding paragraphs as if fully 
set forth herein. 

53. When Plaintiffs and Class members paid money and provided their Sensitive 
Information to Defendants in exchange for services, they entered into implied contracts with 
Defendants pursuant to which Defendants agreed to safeguard and protect such information and to 
timely and accurately notify them if their data had been breached and compromised. 
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54. Defendants solicited and invited prospective clients and other consumers to provide 
their Sensitive Information as part of its regular business practices. These individuals accepted 
Defendants’ offers and provided their Sensitive Information to Defendants. In entering into such 
implied contracts, Plaintiffs and the Class assumed that Defendants’ data security practices and 
policies were reasonable and consistent with industry standards, and that Defendants would use 
part of the funds received from Plaintiffs and the Class to pay for adequate and reasonable data 
security practices. 

55. Plaintiffs and the Class would not have provided and entrusted their Sensitive 
Information to Defendants in the absence of the implied contract between them and Defendants to 
keep the information secure. 

56. Plaintiffs and the Class fully perfonned their obligations under the implied contracts 
with Defendants. 

57. Defendants breached their implied contracts with Plaintiffs and the Class by failing 
to safeguard and protect their Sensitive Information and by failing to provide timely and accurate 
notice that their personal information was compromised as a result of a data breach. 

58. Asa direct and proximate result of Defendants’ breaches of their implied contracts, 
Plaintiffs and the Class sustained actual losses and damages as described herein. 

THIRD COUNT 

Violation of New York General Business Law § 349 
(On behalf of Plaintiffs and the Nationwide Class) 

59. Plaintiffs reallege and incorporate by reference all preceding factual allegations. 

60. Defendants, while operating in New York, engaged in deceptive acts and practices 
in the conduct of business, trade and commerce, and the furnishing of services, in violation of N.Y. 
Gen. Bus. Law § 349(a). This includes but is not limited to the following: 
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a. Defendants failed to enact adequate privacy and security measures to 
protect the Class Members’ Sensitive from unauthorized disclosure, release, data 
breaches, and theft, which was a direct and proximate cause of the Data Breach; 

b. Defendants failed to take proper action following known security risks and prior 
cybersecurity incidents, which was a direct and proximate cause of the Data Breach; 

c. Defendants knowingly and fraudulently misrepresented that they would maintain 
adequate data privacy and security practices and procedures to safeguard the 
Sensitive Information from unauthorized disclosure, release, data breaches, and 
theft; 

d. Defendants omitted, suppressed, and concealed the material fact of Defendants’ 
reliance on, and inadequacy of, AMCA’s security protections; 

e. Defendants knowingly and fraudulently misrepresented that they would comply 
with the requirements of relevant federal and state laws pertaining to the privacy 
and security of Sensitive Information, including but not limited to duties imposed 
by HIPAA; and 

f. Defendants failed to disclose the Data Breach to the victims in a timely and accurate 
manner, in violation of the duties imposed by, inter alia, N.Y. Gen Bus. Law § 899- 
aa(2). 

61. As a direct and proximate result of Defendants’ practices, Plaintiffs and other 
Class Members suffered injury and/or damages, including but not limited to time and expenses 
related to monitoring their financial and medical accounts for fraudulent activity, an increased, 
imminent risk of fraud and identity theft, and loss of value of their Sensitive Information. 
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62. The above unfair and deceptive acts and practices and acts by Defendants were 
immoral, unethical, oppressive, and unscrupulous. These acts caused substantial injury to Plaintiffs 
and other Class Members that they could not reasonably avoid, which outweighed any benefits to 
consumers or to competition. 

63. Defendants knew or should have kn own that AMCA’s computer systems and data 
security practices were inadequate to safeguard Sensitive Infonnation entrusted to it, and that risk 
of a data breach or theft was highly likely. Defendants’ actions in engaging in the above-referenced 
unfair practices and deceptive acts were negligent, knowing and willful. 

64. Plaintiffs seek relief under N.Y. Gen. Bus. Law § 349(h), including but not limited 
to actual damages (to be proven at trial), treble damages, statutory damages, injunctive relief, 
and/or attorney’s fees and costs. The amount of such damages is to be determined at trial but will 
not be less than $50.00 per violation. Id. 

65. Plaintiffs and Class Members seek to enjoin such unlawful deceptive acts and 
practices described above. Each Class Member will be irreparably harmed unless the Court enjoins 
Defendants’ unlawful, deceptive actions in that Defendants will continue to fail to protect Sensitive 
Information entrusted to them, as detailed herein. 

66. Plaintiffs and Class Members seek declaratory relief, restitution for monies 
wrongfully obtained, disgorgement of ill-gotten revenues and/or profits, injunctive relief 
prohibiting Defendant from continuing to disseminate its false and misleading statements, and 
other relief allowable under N.Y. Gen. Bus. Law § 349. 
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FOURTH COUNT 

Violation of the Florida Deceptive and Unfair Trade Practices Act, 

§ 501.201 et seq., Fla. Stat. (“FDUTPA”) 

(On behalf of Plaintiffs and the Nationwide Class) 

67. Plaintiffs reallege and incorporate by reference each of the allegations set forth 

above. 

68. Plaintiffs are “consumers” who used their credit cards to make payments to 
LabCorp. See § 501.203(7), Fla. Stat. 

69. FDUTPA prohibits “unfair methods of competition, unconscionable acts or 
practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce.” § 
501.204, Fla. Stat. 

70. LabCorp, by failing to inform consumers (including Plaintiffs and Class Members) 
of its unsecure, non-compliant, and otherwise insufficient data and information security practices, 
advertised, sold, serviced, and otherwise induced those consumers to purchase goods and services 
from LabCorp. 

71. LabCorp knew or should have known that its computer systems and data security 
practices were inadequate to safeguard Plaintiffs’ and Class Members’ Sensitive Information, and 
that the risk of a data breach was highly likely. 

72. LabCorp should have disclosed this information regarding its computer systems 
and data security practices because LabCorp was in a superior position to know the true facts 
related to its defective data security. 

73. Florida law requires notification of data breaches upon identification. Upon 
information and belief, LabCorp identified the Data Breach as early as March 2019, but only 
notified consumers on June 4, 2019, and therefore left those consumers at risk for the months in 
between discovery and notification. 
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74. LabCorp’s failures constitute false and misleading representations, which have the 
capacity, tendency, and effect of deceiving or misleading consumers (including Plaintiffs and 
Class Members) regarding the security of its network and aggregation of Sensitive Information. 

75. The representations upon which consumers (including Plaintiffs and Class 
Members) relied were material representations ( e.g ., as to LabCorp’s adequate protection of 
Sensitive Information), and consumers (including Plaintiffs and Class Members) relied on those 
representations to their detriment. 

76. LabCorp employed these false representations to promote the sale of a consumer 
good or service, which Plaintiffs and Class Members purchased. 

77. As a direct and proximate result of LabCorp’s unconscionable, unfair, and 
deceptive acts or practices, Plaintiffs and Class Members have suffered and will continue to suffer 
injury and/or harm, including, but not limited to, anxiety, emotional distress, loss of privacy, and 
damages as prescribed by § 501.211(2), Fla. Stat., including attorneys’ fees. 

WHEREFORE, Plaintiffs and Class Members demand judgment as follows: 

A. Certification of the action as a Class Action pursuant to Federal Rule of Civil 
Procedure 23, and appointment of Plaintiffs as Class Representatives and their counsel of record 
as Class Counsel; 

B. That acts alleged herein be adjudged and decreed to constitute negligence and 
amount to violations of HIPAA and the consumer protection laws of New York, Florida, and other 
states; 

C. A judgment against Defendants for the damages sustained by Plaintiffs and the 
Classes defined herein, and for any additional damages, penalties, and other monetary relief 
provided by applicable law; 
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D. By awarding Plaintiffs and Class Members pre-judgment and post-judgment 
interest as provided by law, and that such interest be awarded at the highest legal rate from and 
after the date of service of the Complaint in this action; 

E. The costs of this suit, including reasonable attorney fees; and 

F. Such other and further relief as the Court deems just and proper. 

JURY TRIAL DEMANDED 

Plaintiffs, individually and on behalf of all those similarly situated, hereby requests a jury 
trial, pursuant to Federal Rule of Civil Procedure 38, on any and all claims so triable. 


Dated: June 6, 2019 Respectfully submitted, 

/s/ Christopher A. Seeger 

Christopher A. Seeger (CS-4880) 

Jennifer Scullion 
Parvin Aminolroaya 
SEEGER WEISS LLP 
77 Water Street 
8th Floor 

New York, NY 10005 
(212) 584-0700 
cseeger@seegerweiss.com 
j scullion@seegerweiss. com 
paminolroaya@seegerweiss.com 

Linda P. Nussbaum (LN-9336) 

Bart D. Cohen 

NUSSBAUM LAW GROUP, P.C. 

1211 Avenue of the Americas, 40th Floor 
New York, NY 10036-8718 
(917)438-9189 
lnussbaum@nussbaumpc.com 
bcohen@nussbaumpc.com 
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Michael E. Criden 
CRIDEN & LOVE, P.A. 

7301 SW 57th Court, Ste. 515 
South Miami, FL 33143 
(305)357-9000 
mcriden@cridenlove.com 

Counsel for Plaintiffs and the 
Proposed Class 


21 


